Author: crossenetborowsky

It’s a fact: data hacking and computer fraud are in a permanent evolution.  The increased number of attacks linked to cyber terrorism has been making headlines these past few years. In some instances, such attacks have had disastrous consequences for the targeted companies, from both a financial and reputation perspective.

For example, in May 2014 eBay had personal data from over 233 million clients stolen. More recently, over two million of personal data information belonging to the subscribers of the national broadcaster, TF1’s were hacked.

Cyber-threats are capable of silently and efficiently infecting on an extremely large scale without distinction as to the branch of activity, the size of the company or location.

However, the French data protection act (the “Act”) requires that companies which process personal data “ensure the security of the data and in particular prevent them from being distorted, damaged or accessed by unauthorized third parties” (cf. article 34) or they could face sanctions up to 5 years in prison and a 300.000 euros fine (1.500.000 euros for companies). This sanction can be further increased by damages payable to the victims of such leaked and thus may be the subject of class action suits which are now authorized in France. These attacks are all the more problematic given that insurance companies are increasingly refusing cover cyber-attack risks in their civil liability coverage.

Faced with the ingenuity of the hackers and the fact that security measures become obsolete even before they are implemented, how can companies respect the obligations relating to data protection and avoid the sanctions?

The Act requires data controllers to take all “necessary measures” and accordingly must implement all adapted technical and organizational measures in order to guarantee the security, the integrity, and the confidentiality of the data. Data controllers will be exonerated from any liability to the extent that they have properly implemented such measures.

Unfortunately, there are no lists of which technical measures should be put in place in general or in respect of any particular data. In any event, in light of the rapidity with which the technology is evolving, such a list would soon be irrelevant.

As a result, in order to avoid sanctions, the data controller will have to:

  • Always keep up to date with the new technology and the technical measures that can counter cyber attacks;
  • Implement these technical measures if they are adapted to the processing in question;
  • Follow the CNIL recommendations regarding security;
  • Raise awareness at all levels throughout the company with respect to issues linked to the protection of personal data (56% of French companies that suffered attacks revealed that they were perpetrated by someone in-house); and
  • manage employees while still respecting their right to privacy.

It is also important to underline the fact that the data controller could still be held liable for the pirating of data managed by a subcontractor (data processor), such as a hosting service provider. Accordingly, it is of the utmost importance to contractually require that every subcontractor implement strict security measures (but in any event, no less stringent than those internally implemented by data controller).

A vast majority of subcontractors being based abroad or using adhesion contracts; such process can prove to be difficult but remains absolutely necessary.

0

Questions relating to the applicable law and identifying the correct defendant are particularly complex when the dispute concerns the Internet, and in particular when dealing with data protection issues.

Consider the following hypothesis: a data controller (website publisher, ISP, search engine, etc.) is located on foreign soil, but has a subsidiary in France that is potentially liable for the failure to respect data privacy rights of a French Internet user.

The French Internet user who intends to bring an action against the data controller must ask himself the following questions:

  • Is French law applicable to rule on the liability of the data controller?
  • Which entity must the French Internet user sue? Can he hold the French subsidiary liable for the violation the data privacy rights he suffered?

These questions were answered very recently by the courts of Paris, in two summary judgments rendered on September 16th, and December 19th of 2014, relating to the search engine giant Google. In both cases, individuals, invoking their right to be forgotten, asked Google to remove certain hyperlinks.

1/ Regarding the Applicable Law

It should first be noted that article 5 of the French Data Protection Act (dated January 6th, 1978) provides:

« The processing of personal data is subject to this act when:

The data controller is deemed to be established on French territory. The data controller who carries out his activity on French territory within an establishment, whatever its legal form, is considered established on French territory ».

Accordingly, pursuant to this Article, the establishment on French soil by a data controller renders French law applicable.

What of Google?

It is first important to note that the processing of personal data via Google’s search engine is directed and controlled by Google, Inc., based in the United States. The American giant only uses its subsidiaries (including its French subsidiary) to promote, facilitate, and carry out the sales of its online advertising products and services in the country in which the subsidiary is established. Such a subsidiary does not perform any processing of personal data.

However, the Paris civil court of first instance, held that notwithstanding that Google France does not perform any data processing, it qualifies as an establishment under article 5-1 of the French Data Protection Act because its activities relate to the sale of advertising space are inextricably linked to those of Google Inc. that operates the search engine.

French law is consequently applicable in respect of the data processing performed by Google.

2/ Which entity to sue?

Now that we have resolved the question of applicable law, it remains to be determined against which company legal action should be taken. In this respect, the above-mentioned summary judgments of the Paris civil court of first instance are in complete opposition.

In its summary judgment dated September 16th, 2014, the Court held that the plaintiff’s claims against Google France were admissible and ordered the company to remove several links to content deemed defamatory.

The Court advanced arguments previously formulated by the ECJ in its notworthy decision dated May 13th, 2014, that established the right to be forgotten, and in particular noted that:

  1. If Google Inc. is in fact the operator of the search engine, the activity of Google France, its wholly-owned subsidiary, which sells advertising space connected the U.S. search engine, finances Google Inc. through such activities.
  2. The “activities of the operator of the search engine and those of its establishment located in the Member State are inextricably linked”.

On the other hand, surprisingly, in its most recent summary judgment, dated December 19th, 2014, the Paris court held that the right to be forgotten could only be exercised against Google, Inc. given that Google France does not exploit, whether directly or indirectly, the search engine, and does not qualify as the data controller.

As a result, the question of which entity to sue, that seemed to have been resolved by the ECJ, remains unclear. Until such time as there is established case law on the matter, any plaintiff who wishes to invoke the right to be forgotten by removing links to defamatory content, would be prudent to sue both Google France and Google, Inc.

The current legal uncertainty is problematic for any potential plaintiff who will be compelled to sue Google, Inc. and will thus be faced with long and expensive court proceedings. Further, in the event of legal action, the plaintiff will have to endure the damaging articles published online for a longer period of time.

0

Press agencies, publishers, and photographers’ unions signed on July 15th, 2014 a code of good professional practices aiming at setting a framework for the compensation of photographers when their images are published in the news, and at regulation the exploitation of photographs. In the event that these rules are not respected, the code provides for damages to the benefit of photographers, coupled with a decrease or a cut in financial aid for the press.

The goal of this code of good practices is to attempt to reset the economic balance in the relations between publishers and photographers (and/or their agencies), since the situation of the latter has been consistently deteriorating.

The key points of the code are the following:

  • Photographic credits. It will be possible to ask the publisher, in the event of a total lack of credit, for damages at least equal to the license fee for the photograph in question. That amount is reduced to 50% of such license fee in the event of an incomplete or erroneous credit.Furthermore, use of the credit “all rights reserved” must be limited to the sole situation in which the photographer or the agency does not wish for their name to be public, or when the author of the photograph cannot be identified, despite real research efforts on the part of the publisher. If the photograph comes from a third party but does not bear the name of its author, the publisher shall at least mention its source. If the “all rights reserved” credit remains even after having identified the photographer, it will be possible to ask the publisher for damages.
  • Compensation of photographers and agencies.
  • Assignment of rights.
  • The rules regarding the shared responsibility between publishers on the one hand, and agencies and photographers on the other hand, in the event of claims arising from the publication of the photograph.In this respect, the code provides that the people involved in the creation, distribution, or publication of the photograph, can only be found liable in the limited cases provided for by the law. For instance, publishers can be held liable when they write the caption of a photograph themselves, or disregard the meaning of the one that is given to them when they use the photograph in an article that has no relation with what it represents, or when using the photograph would lead the viewer to believe that the person photographed is the one the article it is attached to is about.On the other hand, agencies and photographers can be held liable when they do not have certain authorizations (from the photographer for the agencies, from persons or owners of objects for photographers), when they do not provide captions, or provide an erroneous one.
  • The implementation of a common standard for the definition and the transmission of metadata, or the affixing of digital protection measures on the photographs in order to prevent or limit their download and re-exploitation without authorization. This common standard shall be the subject of a specific agreement between the parties, to be entered into within twelve months of the signature of the code.

However, despite the apparent goodwill of the code, it has been widely criticized and numerous journalists’ unions like the SNJ (National Union of Journalists), the SNJ-CGT, the CDFT Journalistes, the SNJ-FO, and certain photographers’ organizations like the UPP (Union of Professional Photographers) have refused to sign it.

According to them, the code “does not provide any solution to the catastrophic social situation of an agonizing profession and will, on the contrary, ensure the durability of practices that cut the input of editorial photography to the news”.

The future of these negotiations should thus be followed closely.

 

You can find this code here.

 

0

Last October 21st, the ECJ expanded its case law regarding the online sharing of content previously released on the Internet by extending it to embedding, effectively rendering such case law consistent with previous decisions regarding hyperlinks.

In the Svensson decision dated February 13th, 2014 (C-466/12), the ECJ ruled that the practice of broadcasting a hyperlink without the author’s authorization does not constitute an infringement of author’s rights when such initial content had been previously published without restrictions. According to the Court, the new publication made via hyperlink does not constitute either a communication via different technical means, or a communication to a new public. The premise of the Court’s ruling was that, in each instance, the entirety of Internet users were freely able to access such content and accordingly there was no basis for an infringement claim.

In Bestwater, the Court applied the same reasoning to embedding, a technique that consists of inserting in the frame of a web page, an element originating from another website. This technique is widely used and enables Internet users to access content from another website without having to leave the original website they came to visit.

BestWater, a German company noticed that videos which it originally published on the video platform YouTube, were copied via embedding onto the websites of its competitors, and therefore asked the German courts to order that these videos be taken down.

After opposite decisions rendered by the trial court and court of appeals, the German Supreme Court, the Bundesgerichtshof, decided to refer the case to the ECJ for its determination as to whether, according to article 3 of the 2001/29 Directive, embedding content without the rights holders’ permission qualified as a “communication to the public” and therefore an infringement of the author’s rights.

The judges of the ECJ unequivocally answered no to that question, explaining that in order for there to be a “communication to the public” according to the directive, the content needs to be:

  •  communicated via a “specific technical mode, different from those previously employed, or
  • communicated to a “new public i.e. a public that has not already been targeted by the rights holders when they authorized the initial communication to the public of their work”.

However in “BestWater”, the embedding technique used to communicate the work was not a different technique and the targeted public was not new given that the same content was already available to the Internet users on another website with the authorization of the rights holders”.

The Court added that, in authorizing the publication of the relevant content via the video platform YouTube, the rights holders had already targeted the entire Internet community of users. Given the rights holders’ decision not to avail themselves of a wide array of means to privatize content on the Internet, the public must accordingly be deemed as all Internet users, and not only the visitors of the website.

The Court concluded that embedding content does not constitute a “communication to the public” and therefore an infringement upon the author’s rights if such content was originally published on the Internet with no restrictions.

It is worth noting that if embedding does not constitute public performance, the ECJ acknowledges that it allows for the bypass of provisions relating to reproduction rights.

The ECJ’s ruling is consistent with the decision rendered in 2012 by the 7th Circuit, Flava Works Inc. v. Gunter wherein Judge Posner held that embedding does not constitute copyright infringement as the embedding by the website myVidster was solely a connector between the server that hosts the video, and the computer of the website user. Accordingly, such embedding does not constitute copyright infringement given the absence of any form of copying or distribution of, copies of protected works.

 

0

The French Parliament has recently passed a new law relating to infringement of intellectual property rights. Enacted on March 11th, 2014. The effect of this law is to harmonize numerous provisions applicable to the various intellectual property rights which were previously subject to different rules. It also clarifies some of the unclear dispositions contained in the previous infringement law dated October 29th, 2007.

Noteworthy provisions include:

  • The statutes of limitations for civil infringement proceedings are harmonized to 5 years for all IP rights. The statutes of limitations were previously of either 3 or 5 years: 3 years for patents, trademarks and designs, and 5 years for authors’ rights.
  • Discovery proceedings (“saisie-contrefaçon”) are harmonized for all intellectual property rights. The new legislation erases some specificities relating to authors rights, such as the possibility that the discovery proceedings be performed by a police officer at the request of the allegedly infringed party. Now, only the President of the “Tribunal de Grande Instance” may order discovery proceedings.
  • The right to information for the infringed party is strengthened: a court having jurisdiction in the subject matter may, including by way of summary judgment, order a party to communicate information and documents relating to the allegedly infringing products before the court rules on the infringement itself;
  • The method of calculation of damages awarded to the rights holder has been clarified. Courts will have to separately take into account the negative consequences of the infringement on the infringed party, which may include not only economic and actual losses but also other damages such as moral damages which may have been suffered because of the infringement) as well as profits made by the infringer. Courts may also, at the infringed party’s request, grant him or her a lump sum of money, which must be greater than the amount of royalties the infringer would have had to pay had he requested authorization from the rights holder to exploit the intellectual property rights.

This law also permits French customs to act more efficiently by improving, amongst other things, the procedures for detention under customs control.

While we obviously have to wait and see how courts will implement this new legislation, it would appear that such changes are beneficial for professionals and rights holders given that it simplifies a plaintiff’s legal recourse against infringing third parties.

0

On February 28th, 2014, the 28 EU Member States enacted a directive regarding the collective management of copyrights and neighboring rights.

This directive harmonizes, at the European level, the rules regulating the functioning of collective management societies, and in particular the rights holders’ membership to such societies (rights holders are entitled to limit the types of works, the rights as well as the territories covered by the collective management scheme, and may elect the collective management of their choosing notwithstanding their nationalities or place of residence), the governance and transparency of such societies towards their members (obligation to communicate information), and the payment of royalties by such societies to their members (regular payments at the earliest opportunity in no event later than nine months following the end of the fiscal year).

This new legislation is also aimed at facilitating the grant of multi-territorial licenses for online use of musical works within the European Union. Each online music platform (such as Deezer or Spotify) will therefore be able to obtain a pan-European license to use a work from a single collective management society instead of having to deal with a different collective management society for each Member State.

The Member States are required to implement this directive in their national systems before April 10th, 2016. In the meantime, collective management societies in each Member States should enter into competition with respect to rights holders’ memberships and the grant of pan-European licenses.

0

A photographer employed by a photography studio may not claim author’s rights for photographs he took while so employed.

The French Court of Appeals of Paris held, on January 15th, 2014, that the photographs taken by said photographer pursuant to the instructions of his employer, and in collaboration with his colleagues, must be treated as collective works i.e. that such photographs were created and completed by various individuals pursuant to the specific instructions of the Studio and thus the Studio Harcourt was the exclusive owner of such photographs, including all author’s rights therein.

This decision is rather surprising given that the photographer had previously entered into an agreement with the Studio Harcourt pursuant to which he transferred his authors’ rights. The parties’ determination to enter into such an agreement could be considered as a mutual acknowledgement by the parties’ that such photographs were indeed not collective works.

Given that the Court determined that the photographs were collective works, the photographer had no legal right to any contingent compensation from the exploitation of such photos nor was he entitled to be credited as the author thereof, unless otherwise agreed to by the parties.

In its decision, the Court noted that the photographer’s contribution blended with the contribution of the studio’s other employees, such as those in charge of lighting, makeup, and photo-retouching, who all work to convey the “Harcourt style”, “especially coded” and representative of the photographs taken and exploited by the Studio Harcourt.

This decision is in line with recent French case law, which tends to qualify as collective works those works which are created by employees within the scope of their duties and pursuant to their employer’s instructions.

0

The new consumer legislation (entitled “Loi Hamon”) passed on March 17th, 2014 strengthens e-traders’ obligations towards consumers. Notably, this legislation implements in France certain consumer protection provisions enacted at the European level.

Noteworthy provisions include:

  • An obligation to provide additional information to the consumer prior to contract, such as information on the product, the e-trader, the means of payment, and the obligation to expressly mention that the order is subject to payment (while this last obligation may seem superfluous to a French consumer, it stems from a willingness to harmonize the rules applicable in each EU Member States; German consumers, for example, are accustomed to paying for an order at the time of delivery);
  • Obligation for the e-traders to specify the delivery date or delivery estimate (if silent, the e-traders will have to deliver within 30 days);
  • Extension of the withdrawal period (from 7 days to 14 days);
  • Reimbursement to the consumer to occur within 14 days (instead of 30 days) (notably in situations where the consumer exercises his right of withdrawal); and
  • Prohibition on the e-traders to add goods or services to the consumer’s order by pre-ticking boxes relating to such goods or services.

Further, the e-traders are now prohibited from telephone soliciting any consumer who has indicated that he or she does not want to be solicited, and from using unlisted and blocked telephone numbers in contacting consumers.

All of these provisions came into force on June 14th, 2014. Each e-trader must therefore ensure that the content of its websites as well as its sales contracts and general terms and conditions comply with these terms.

0

The drama series “Intime Conviction”, aired on television channel Arte and on Arte’s website, has been banned from broadcast in France. On February 27th, 2014, a French Court (the Tribunal de Grande Instance of Paris) ordered the broadcaster and Maha Productions (the producer) to refrain from further broadcasting the program after Dr. Jean-Louis Muller took legal action and requested summary judgment claiming that the program invaded on his right to privacy. The Court of Appeals of Paris confirmed the lower court’s ruling on February 28, 2014.

Dr. Muller, a forensic pathologist charged with his wife’s murder in 2001, inspired the series’ screenplay. Dr Muller was acquitted on October 31st 2013 by the highest French Criminal Court (Cour d’Assises of Meurthe et Moselle), and the decision is not subject to appeal.

The first part of the series was formatted as a television movie and broadcast on Arte on February 14th, 2014. The story revolved around a police investigation following the fatal shooting of a woman by her husband, a forensic pathologist, and his arrest for her murder. The second part of the series was scheduled to be broadcast on the Internet between February 14th and March 2nd, 2014 under the format of 35 short programs, retracing the proceedings before the Criminal Court. The trial was to be interactive and Internet users were throughout the proceedings invited to give their opinion on the guilt or innocence of the accused. The trial was to end with the broadcast of the verdict reached by Internet users.

However, the Court of Appeals of Paris prohibited the broadcast. The Court ruled that while certain facts relating to Dr Muller’s personal life may have been disclosed during his trial, those facts could not lawfully be used in a dramatized program (as opposed to a documentary or a news article) and that the facts were intermingled with fictionalized facts encroaching on Dr Muller’s personal life, without the program clearly distinguishing between reality and fiction.

In light of such decision, producers wishing to produce a drama program inspired by actual legal proceedings must therefore ensure that said legal proceedings, and the identities of the persons involved, are not easily recognizable by the viewers. If so, the producer must restrain from including the following in the drama program:

  • facts not disclosed during the legal proceedings to the extent they violate an individual’s right to privacy;
  • and/or fictionalized facts presented as actual facts, since it constitutes a violation of an individual’s right to privacy.

0